Automotive Security: The Bad and the Ugly. Flavio Garcia University of Birmingham

Size: px

Start display at page:

Download "Automotive Security: The Bad and the Ugly. Flavio Garcia University of Birmingham"

Alaina Henderson
6 years ago
Views:

1 Automotive Security: The Bad and the Ugly Flavio Garcia University of Birmingham

2 The automotive industry has undergone a major transformation Digital Mechanical

Shift in Responsibility and Culture Mechanical OEMs traditionally shift responsibility to Tier 1 Suppliers Testing: Software EULA: This software is

3 Shift in Responsibility and Culture Mechanical OEMs traditionally shift responsibility to Tier 1 Suppliers Testing: Software EULA: This software is provided as is without warranty of any kind The entire risk arising out of use or performance of the this SOFTWARE remains with the user. Release now patch later

4 Challenges in Automotive Security Real-time critical functionality Low speed CAN networks even the `high-speed (40 Kb/s to 1 Mb/s) Black box integration of components Security (in general) not composable Obscurity Right to repair legislation Car tuning?

5 How is this all going so far? Not great Security is a Market for Lemons (and everyone is selling rotten ones) We lack an open discussion and more transparency about security (weaknesses) I ll give a few examples of this next.

Australia (AS/NZS 4601:1999) Canada (CAN/ULC S338-98) Do

6 Vehicle Immobilizers PassiveRFID Tag(125 KHz) Prevents hot-wiring Mandatory Europe(EU Directive 95/56/EC) Australia (AS/NZS 4601:1999) Canada (CAN/ULC S338-98) Do notconfuse itwithremote controls that unlock the car doors (433 MHz)

7 Hitag2 Usage

8 Makes & Models (2012)

9 Hitag2 Immobilizer transponder

10 Unbreakable security levels using mutual authentication, challenge-response and encrypted data communication

11 Hitag2 Authentication Protocol id = 32-bit identifier nr = reader nonce {ar} = encrypted reader answer {at} = encrypted transponder answer No tag nonce No mutual authentication

12 Hitag2 Cipher 48 bit internal state (LFSR stream a 0 a 1 ) a 0 a 31 = id 0 id 31 a 32 a 47 = k 0 k 15 a 48+i = k 16+i {nr} i ƒ(a i a 47+i ) i [0,31] Initialized LFSR = a 32 a 79

13 Hitag2 Cipher Dependencies between sessions Reader nonce (n R ) is only 32 bits LFSR 0 LFSR 15 are fixed over all sessions, regardless of n R

14 Hitag2 Cipher Filter function weakness 4 bits cover 14 bits of the internal state In 8 of the 32 configurations, the output of ƒ c is not influenced by the last (rightmost) input bit Probability ¼ the output is determined by the first 34 bits of the filter function

15 Cryptanalytic Attack Gather only 134 authentication attempts from the car (~1 minute) Use first cipher weakness to combine different reader nonces Try for every 2 34 cipher state (~5 minutes) Which ¼ of the 134 are useful to eliminate If first keystreambit of {ar} passes the test Verify handful of candidate keys Total attack time is 360 seconds This motivates the title of our Usenix 12 paper Gone in 360 Seconds: Hijacking with Hitag2

16 Immobilizer Demo

17 Responsible disclosure Notified the manufacturer NXP Responsible disclosure (6 months ahead) Verified and acknowledged our findings Collaborated constructively by discussing mitigating measures Immobilizer based on AES cost only a couple dollars more NXP: the attack does not work in a car-only scenario

18 Is this attack car-only? Not quite due to whitelisting of transponder id Remember: Whitelist: id 1 id 2 id 3

19 RKE System Active - Transmits on a different frequency (433Mhz) Often integrated with immobilizer in one hybrid chip Hybrid chip uses different secret key but the same id Can be eavesdropped from 100mts/300ft Also uses a weak cipher I will show evidence of that

20 Short RKE demo

21 How about the integration done by OEMs?

22 32-bit random numbers generated by a French car n R 0A D A

23 32-bit random numbers generated by a different French car

24 Korean car using: Default password MIKR And secret key 0xFFFF814632FF

25 Still looking forward to get one of those driverless cars?

26 Examples by others Checkowayet al showed how to take control of the vehicle by exploiting a buffer overflow on the CD player Koscheret al showed that you could take full control over a vehicle if you have physical access to the car

27 Future direction Securing critical functionality within the CAN network Key challenge is authenticity Securing vehicle-x communication Secure over-the-air firmware updates

28 Conclusion Security by obscurity often covers up bad designs (and poor implementations) The kind of mistakes we found have been sorted out decades ago by the software community We need better mechanisms to deal with security vulnerabilities We need to secure the in-vehicle network and isolate critical functionality

LOCK IT AND STILL LOSE IT ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS

LOCK IT AND STILL LOSE IT ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO KASPER, PIERRE PAVLIDES PRESENTED BY JACOB BEDNARD, WAYNE STATE UNIVERSITY CSC5991